Updated JBoss Enterprise Application Platform packages that fix several
security issues and bugs are now available for Red Hat Application Stack v1
This update has been rated as having moderate security impact by the Red Hat
Security Response Team.
The updated packages address the following security vulnerabilities:
Tomcat incorrectly treated a single quote character (') in a cookie value
as a delimiter. In some circumstances this lead to the leaking of
information such as session ID to an attacker (CVE-2007-3382).
Tomcat incorrectly handled the character sequence \" in a cookie value. In
some circumstances this lead to the leaking of information such as session
ID to an attacker (CVE-2007-3385).
In addition to these security fixes, this update also fixes several bugs in
JBoss Enterprise Application Platform. Please see the referenced release
notes for the list of bugs fixed.
Users of JBoss Enterprise Application Platform should upgrade to these
updated packages which contain fixes to correct these issues.
For users of Red Hat Application Stack v1, installation of this errata will
automatically bring the system up to V.1.2. Please note the following
changes that may affect you:
- Stacks V.1.2 has a new version of JBoss Application Server which
requires Java version 1.5 to run.
- Unless the JBOSS_IP variable is explicitly set in the configuration
file, JBoss Application Server services are now bound to localhost.
- Unless the JBOSSCONF variable is explicitly set in the configuration
file, JBoss Application Server will start with the production config
when started via the init script.
Refer to the release notes for more information on how to set the
JBOSS_IP and JBOSSCONF variables.